Free Malware Removal Forum

Welcome to MalwareRemoval.com. What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use, are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Over the past week, my anti-virus software and Windows Update have been failing to retrieve the latest virus definitions. In addition, access to a list of anti-virus and Windows websites/downloads is blocked. I understood this may be because of a Conficker infection. I have downloaded and run almost a dozen Conficker remover tools, some running successfully and reporting no Conficker found, others failing to run. I also tried uninstalling/installing at least five different anti-virus and anti-malware programs; all fail updates. I've manually updated the virus definitions after downloading them on different computers, never finding any viruses. Repeated installation attempts of the Microsoft Malicious Software Removal Tool seem to fail, and when I've tried to run mrt.exe as Administrator, it reports that the MMSRT "has stopped working". Log files do not catch any recent error codes. My HOSTS file had an extra line that looked suspicious (":: 1"), so I replaced my HOSTS file with the one from http://www.mvps.org. I went through each of the Microsoft manual steps for removing the Conficker.b worm (http://support.microsoft.com/kb/962007) and, while I found no random service name in netsvcs in my Registry, I found 2 suspicious autorun.inf files, which I deleted.

After all this (attempts in both administrator mode and safe mode, across five different internet service providers), I am still unable to update my anti-virus software or access anti-virus websites. Any help will be greatly appreciated.

I closed most running programs and services before generating this HijackThis log:

Computer Name: SK
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001B24A025E7. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 226422
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090223054116.000000-000
Event Type: Warning
User:

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258489
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095608.230800-000
Event Type: Audit Success
User:

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258490
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095608.262000-000
Event Type: Audit Success
User:

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258491
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095620.164800-000
Event Type: Audit Success
User:

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258492
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095621.132000-000
Event Type: Audit Success
User:

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258493
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095624.064800-000
Event Type: Audit Success
User:
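The event records in the post above come out of the forum page with every field run together. As an added example (not code from the thread, from HijackThis, or from the poster), the Python script below parses those records back into fields and groups the security-audit entries into time bursts. The message text of those five records is the description Windows attaches to its explicit-credential logon audit (Event ID 4648 on Vista and later), which is the event that running a tool "as Administrator" or through RUNAS produces, so five of them within sixteen seconds are consistent with the poster's own tool runs; the same audit also appears when a process uses credentials it should not have, and it is the calling process and target account in the full event (which the quoted records omit) that tell the two apart. The record strings are copied from the post; the burst window and minimum count are assumed parameters.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the six records quoted in the post, in the run-together
# form the forum page shows them.  The audit message text is repeated by the
# helper below rather than pasted five times.
AUDIT_MSG = ("This event is generated when a process attempts to log on an account "
             "by explicitly specifying that account's credentials. This most commonly "
             "occurs in batch-type configurations such as scheduled tasks, or when "
             "using the RUNAS command.")


def _audit(record_number, time_written):
    return (f"{AUDIT_MSG}Record Number: {record_number}Source Name: "
            f"Microsoft-Windows-Security-AuditingTime Written: {time_written}"
            "Event Type: Audit SuccessUser:")


SAMPLE_RECORDS = [
    "Computer Name: SKEvent Code: 1003Message: Your computer was not able to renew "
    "its address from the network (from the DHCP Server) for the Network Card with "
    "network address 001B24A025E7. The following error occurred: The semaphore "
    "timeout period has expired.. Your computer will continue to try and obtain an "
    "address on its own from the network address (DHCP) server.Record Number: 226422"
    "Source Name: Microsoft-Windows-Dhcp-ClientTime Written: 20090223054116.000000-000"
    "Event Type: WarningUser:",
    _audit(258489, "20090218095608.230800-000"),
    _audit(258490, "20090218095608.262000-000"),
    _audit(258491, "20090218095620.164800-000"),
    _audit(258492, "20090218095621.132000-000"),
    _audit(258493, "20090218095624.064800-000"),
]

LABELS = ["Computer Name", "Event Code", "Message", "Record Number",
          "Source Name", "Time Written", "Event Type", "User"]
# The records carry no separators at all, so split just before any known label.
_SPLIT = re.compile(r"(?=(?:%s):)" % "|".join(re.escape(l) for l in LABELS))


def parse_record(line):
    """Turn one flattened record into a dict.  Leading text that carries no
    label (the audit records start with the message body) becomes the Message."""
    rec = {}
    for chunk in _SPLIT.split(line):
        if not chunk:
            continue
        label, sep, value = chunk.partition(":")
        if sep and label in LABELS:
            rec[label] = value.strip()
        else:
            rec["Message"] = (rec.get("Message", "") + chunk).strip()
    return rec


_CIM = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value):
    """WMI CIM_DATETIME as HijackThis prints it: yyyymmddHHMMSS.ffffff+UUU,
    where UUU is the UTC offset in minutes."""
    m = _CIM.match(value)
    if not m:
        raise ValueError(f"not a CIM datetime: {value!r}")
    stamp, micros, sign, offset = m.groups()
    minutes = int(offset) * (-1 if sign == "-" else 1)
    tz = timezone(timedelta(minutes=minutes))
    return datetime.strptime(stamp + micros, "%Y%m%d%H%M%S%f").replace(tzinfo=tz)


def explicit_logon_bursts(records, window=timedelta(seconds=30), min_count=3):
    """Group explicit-credential logon audits into bursts: runs of at least
    min_count events, each within `window` of the run's first event.
    The 30 s window and count of 3 are assumed thresholds, not Windows defaults."""
    times = sorted(
        parse_cim_datetime(r["Time Written"]) for r in records
        if r.get("Source Name") == "Microsoft-Windows-Security-Auditing"
        and "explicitly specifying" in r.get("Message", ""))
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append({"start": times[i], "end": times[j], "count": j - i + 1})
        i = j + 1
    return bursts


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_RECORDS]
    for b in explicit_logon_bursts(parsed):
        print(f"{b['count']} explicit-credential logons between {b['start']} and {b['end']}")
```

On the sample this reports one burst of five logons between 09:56:08 and 09:56:24 on 2009-02-18. The DHCP warning is deliberately left out of the correlation: a lease-renewal timeout is a network fault until something else ties it to the infection.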

Thank you for your help. This morning, before reading your post, my ESET NOD32 automatically updated for the first time to the 20090224 virus definitions. I still cannot access anti-virus websites like Eset.com, WindowsUpdate.com, WindowsDefender updates, etc.

Disconnect from the internet and close running programs.
There is a small chance this application may crash your computer, so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK.
If no warning, click the Rootkit/Malware tab.
To the right of the program you will see a bunch of boxes that have been checked; leave everything checked. Then click the Scan button.
Wait for the scan to finish.
Once done, click the Copy button.
Open Notepad and hit Ctrl+V to paste the log.
Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab, then the Scan button.
Once it's done, click the Copy button and paste it into a new Notepad document.
Save that document to your desktop please.

gmer.exe started and found ROOTKIT activity, to which I would click OK to scan. It crashed right away each time. I tried running it in Safe Mode as Administrator and managed to get it to complete its scan, and I copied the requested results below. I casually noticed the random-name service "gaopdxkoyxayvb", which might be the Conficker infection. I have not taken any further action; waiting for your instruction.
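The manual netsvcs check from KB962007 that the poster went through earlier (look for a service name in the SvcHost group that you do not recognise, then inspect that service's ServiceDll) is easier to do by diffing the key against a clean machine than by eye. The Python below is an added example, not code from the thread or from Microsoft: it parses two `reg export` dumps of the SvcHost key, decodes the REG_MULTI_SZ netsvcs value, and lists the names present only on the suspect host. Both .reg texts are constructed samples with just two real entries, and "exsvc" is a made-up name standing in for an unrecognised one; a real export is UTF-16 with a byte-order mark, so read it with open(path, encoding="utf-16"). The service name reported in this post was found by GMER, not in netsvcs, so it is not used as the sample entry.

```python
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

# Constructed sample exports of the SvcHost key, as produced by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" svchost.reg
# on a clean reference machine and on the suspect one.  netsvcs is a
# REG_MULTI_SZ, which regedit writes as hex(7): UTF-16LE bytes, NUL-separated,
# wrapped with trailing backslashes.  Only BITS and wuauserv are real entries;
# "exsvc" is an invented name standing in for an unrecognised service.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,\
  00,65,00,72,00,76,00,00,00,00,00
"""

SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,\
  00,65,00,72,00,76,00,00,00,65,00,78,00,73,00,76,00,63,00,00,00,00,00
"""


def decode_multi_sz(hex_bytes):
    """Decode the comma-separated byte list of a hex(7) value into its strings."""
    data = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: key headers, REG_SZ
    ("...") and REG_MULTI_SZ (hex(7):...) values.  Returns {key: {name: value}};
    other value types are kept as the raw text after '='."""
    # A trailing backslash continues the value on the next (indented) line.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError(f"value outside any key: {line!r}")
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if raw.startswith("hex(7):"):
            keys[current][name] = decode_multi_sz(raw[len("hex(7):"):])
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = raw
    return keys


def unexpected_netsvcs(clean_text, suspect_text):
    """Service names in the suspect host's netsvcs group that the clean
    reference host does not have (compared case-insensitively, as the registry is)."""
    clean = {s.lower() for s in parse_reg_export(clean_text)[SVCHOST_KEY]["netsvcs"]}
    suspect = parse_reg_export(suspect_text)[SVCHOST_KEY]["netsvcs"]
    return [s for s in suspect if s.lower() not in clean]


if __name__ == "__main__":
    for name in unexpected_netsvcs(CLEAN_REG, SUSPECT_REG):
        # KB962007's next step: the service's ServiceDll value names the file
        # that svchost.exe loads for it.
        print(f"unrecognised netsvcs entry {name!r}; inspect "
              rf"HKLM\SYSTEM\CurrentControlSet\Services\{name}\Parameters\ServiceDll")
```

The reference export must come from the same Windows version and service pack, since the netsvcs list legitimately differs between them. This only catches entries added to the SvcHost group; a component hidden by a rootkit driver, which is what the GMER scan requested above looks for, will not show up in a registry export taken from the infected system.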

You will be asked Are you sure you want to execute the current script?.

Click Yes.

You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.

Click Yes.

Your PC will now be rebooted.

Note: If the above script contains Drivers to delete: or Drivers to disable:, then Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behavior.

After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here. The ones that need to be closed/disabled are:
Windows Defender
ESET NOD32 Anti-Virus

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
